Views: 19582 | Replies: 55

[Micropoint (微点)] Comodo's HIPS and firewall test program: a con trick

softkiller
Posted 2008-6-23 17:44:17
“Five security and HIPS (host intrusion prevention system) functionality tests.
The HIPS tests each use two different methods to simulate rootkit installation and DLL injection. The program also supports a BITS service hijack test. The BITS service lets a program download files from the network through the trusted service host (svchost.exe).
Details: http://personalfirewall.comodo.com/cltinfo.html
Program: http://download.comodo.com/securitytests/CLT.zip
Testing item by item, Micropoint only passes the first one; it didn't block any of the remaining four.”

0040135E   call dword ptr ds:[<&ntdll.ZwCreatePort>]                  ntdll.ZwCreatePort

0040164E   call dword ptr ds:[<&ntdll.ZwOpenProcess>]                 ntdll.ZwOpenProcess

0040125B   call dword ptr ds:[<&ntdll.ZwQuerySystemInformation>]      ntdll.ZwQuerySystemInformation    00DEFEE4   00000005  |InfoType = SystemProcessThreadInfo

0040194A   call dword ptr ds:[<&ntdll.ZwQueueApcThread>]              ntdll.ZwQueueApcThread      (the final action appears to queue an APC into svchost's main thread)
0040186A   call dword ptr ds:[<&ntdll.ZwSetSystemInformation>]        ntdll.ZwSetSystemInformation   (calls the SystemLoadImage function: the long-known driver-loading method, no need to elaborate)

A con trick. This thing's judgement of behaviour is far too shallow; honestly, it isn't even fit to test Micropoint. Many of the parameters to those functions are normal software behaviour. HIPS is HIPS and Micropoint is Micropoint; some of this Micropoint doesn't need at all, and trojans of the same kind all die just the same. OllyDbg isn't great for tracing this kind of program, so make do with this.

Many people wrongly think that if a HIPS has a whitelist it can judge intelligently and become Micropoint. Why don't they consider this: if Micropoint had no whitelist, if you took the whitelist away, would it block normal software's behaviour?
No! Whereas a HIPS would block it. The answer is that Micropoint has the ability to recognise and judge normal program behaviour, and HIPS does not have the ability to judge normal program behaviour.
This is one of the most fundamental differences between HIPS and Micropoint.

I'm talking about normal program behaviour, not even counting the judgement of virus behaviour and other proactive-defence techniques. Micropoint can judge and recognise it and won't block it the way a HIPS blocks everything, even without a whitelist (by whitelist I mean a signature library of normal programs that exhibit virus-like behaviour).

[Last edited by softkiller on 2008-6-23 18:09]
polly5771
Posted 2008-6-23 17:53:57
I'm speechless. OP really should go to the HIPS section and learn a bit more.

“A con trick. This thing's judgement of behaviour is far too shallow; honestly, it isn't even fit to test Micropoint”

This thing is mainly for testing rule-based HIPS. It doesn't mean much for behaviour-analysis security software. Using it to test Micropoint is you using it in the wrong place; how does that make it a con? Where does "not fit" come from??

“Micropoint has the ability to recognise and judge normal program behaviour, and HIPS does not have the ability to judge normal program behaviour. This is one of the most fundamental differences between HIPS and Micropoint.”

I've also studied several intelligent HIPS: TF, NAB, Mamutu. My conclusion: MP is essentially an intelligent HIPS plus signatures, a firewall and some auxiliary functions. The fundamental difference between HIPS and Micropoint? Micropoint essentially is a HIPS!! Moreover, behaviour analysis can partly distinguish normal software from malware, but there is no absolute boundary between them! How strict the behaviour analysis is determines the false-negative and false-positive rates, and a whitelist can reduce false positives. The approach Micropoint takes is clearly stricter behaviour analysis + whitelist + protection of critical single-step actions; that is how it achieves both low false negatives and low false positives.

[Last edited by polly5771 on 2008-6-23 18:25]
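An added illustration (my own, not code from this thread, from Comodo's CLT, or from Micropoint) of the two detection styles the first post and the reply above argue over: a rule HIPS that prompts on every sensitive call in isolation, versus a behaviour engine that fires only on the chain of calls softkiller traced (enumerate processes, open svchost.exe, queue an APC) or on one critical single step (loading a driver through ZwSetSystemInformation with SystemLoadImage), with a whitelist layered on top as polly5771 describes. The event traces, image names, rule names and the whitelist are constructed assumptions, not captured data; the "procview.exe" trace is a made-up benign process viewer that happens to make the same first two calls.

```python
# Added illustration, not code from the thread or from any vendor product.
# It contrasts the two detection styles argued about in the thread:
#   (1) a rule HIPS that prompts on every sensitive call on its own, and
#   (2) a behaviour engine that fires on a chain of calls (or on one critical
#       single step), with a whitelist applied on top.
# Event traces, image names and rule names are constructed assumptions loosely
# modelled on the ZwQuerySystemInformation / ZwOpenProcess / ZwQueueApcThread /
# ZwSetSystemInformation calls the first post observed in CLT.

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str        # caller's image name
    api: str          # native API called, e.g. "ZwOpenProcess"
    target: str = ""  # target process for cross-process calls
    info: str = ""    # information class or other notable argument


# Constructed trace modelled on the CLT sequence from the first post.
CLT_TRACE = [
    Event(1000, "clt.exe", "ZwQuerySystemInformation", info="SystemProcessInformation"),
    Event(1000, "clt.exe", "ZwOpenProcess", target="svchost.exe"),
    Event(1000, "clt.exe", "ZwQueueApcThread", target="svchost.exe"),
    Event(1000, "clt.exe", "ZwSetSystemInformation", info="SystemLoadImage"),
]

# Constructed trace for a benign process viewer: same first two calls, no APC.
VIEWER_TRACE = [
    Event(2000, "procview.exe", "ZwQuerySystemInformation", info="SystemProcessInformation"),
    Event(2000, "procview.exe", "ZwOpenProcess", target="svchost.exe"),
]

# (1) Rule HIPS: one rule per sensitive API; every hit is a prompt to the user.
SINGLE_CALL_RULES = {
    "ZwOpenProcess": "open-process",
    "ZwQueueApcThread": "queue-apc",
    "ZwSetSystemInformation": "set-system-information",
    "ZwCreatePort": "create-lpc-port",
}


def rule_hips(trace):
    """Return the prompts a single-call rule HIPS would raise for a trace."""
    return [f"{SINGLE_CALL_RULES[e.api]}:{e.image}"
            for e in trace if e.api in SINGLE_CALL_RULES]


# (2) Behaviour engine: a per-process state machine. Queuing an APC into a
# process the caller previously opened is judged as injection; loading a
# driver through SystemLoadImage is a critical single step judged on its own.
CRITICAL_SINGLE_STEPS = {("ZwSetSystemInformation", "SystemLoadImage"): "driver-load"}


def behaviour_engine(trace, whitelist=frozenset()):
    """Return verdicts; images in the whitelist (assumed vendor-curated) are skipped."""
    verdicts = []
    state = {}  # pid -> {"enumerated": bool, "opened": set of target images}
    for e in trace:
        if e.image in whitelist:
            continue
        s = state.setdefault(e.pid, {"enumerated": False, "opened": set()})
        if e.api == "ZwQuerySystemInformation" and e.info == "SystemProcessInformation":
            s["enumerated"] = True          # harmless on its own, only remembered
        elif e.api == "ZwOpenProcess" and e.target:
            s["opened"].add(e.target)       # harmless on its own, only remembered
        elif e.api == "ZwQueueApcThread" and e.target in s["opened"]:
            # Only the chain counts: open a foreign process, then queue an APC into it.
            verdicts.append(f"apc-injection:{e.image}->{e.target}")
        if (e.api, e.info) in CRITICAL_SINGLE_STEPS:
            verdicts.append(f"{CRITICAL_SINGLE_STEPS[(e.api, e.info)]}:{e.image}")
    return verdicts


if __name__ == "__main__":
    print("rule HIPS on CLT:      ", rule_hips(CLT_TRACE))        # three prompts
    print("rule HIPS on viewer:   ", rule_hips(VIEWER_TRACE))     # one prompt on a benign tool
    print("behaviour on CLT:      ", behaviour_engine(CLT_TRACE))
    print("behaviour on viewer:   ", behaviour_engine(VIEWER_TRACE))  # nothing
    print("behaviour, whitelisted:", behaviour_engine(CLT_TRACE, {"clt.exe"}))  # nothing
```

The rule HIPS prompts on the benign viewer as readily as on CLT, which is the false-positive cost of judging each call in isolation; the behaviour engine stays quiet on the viewer because the open never turns into an APC, yet still blocks the driver load as a single step. The whitelist is the last layer, and applying it to "clt.exe" silences everything, which is also why a whitelist cannot be what makes the engine "intelligent".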
周勃
Posted 2008-6-23 18:11:21
Micropoint only passes the first test and fails the remaining four? Either way, seeing those test results is a bit disappointing.

[Last edited by 周勃 on 2008-6-23 18:15]
fatelinegod
Posted 2008-6-23 18:18:27
The OP makes me dizzy. Test TF and the like before you dare say how special Micropoint is. If Micropoint were perfect it would be boring; it still has a long road ahead.
maxutao
Posted 2008-6-23 18:26:43
What is the OP doing?
niels
Posted 2008-6-23 18:52:17
If you don't understand, don't talk nonsense. Kill Micropoint's whitelist and even WinRAR gets blocked; want to try?
All you do is defend your Micropoint, which is exactly what puts other people off.
A perfectly good piece of software, made more off-putting than Firefox by people like you.

Sorry, edited for civil language.

[Last edited by niels on 2008-6-23 18:56]
zhiyan
Posted 2008-6-23 18:59:33
Anyway, I basically don't use domestic products: first, they aren't very honest; second, the "shut the door and feel great about yourself" arrogance; third, because of......
-oAo-
Posted 2008-6-23 19:42:30
I only use free ones.
黄金马甲出租
Posted 2008-6-23 20:22:05
Who edited my post into this? Completely speechless.................. It seems these are only three behaviours; I recall there are also the remote-thread and the Beep tricks. Calling it a con and "not fit" is really because there are too few behaviours; using five uncommon behaviours to test a HIPS is far too crude.
Look at these APIs: once a virus calls them, which of them isn't malicious behaviour?

CcCanIWrite
CcCopyRead
CcCopyWrite
CcDeferWrite
CcFastCopyRead
CcFastCopyWrite
CcFastMdlReadWait
CcFastReadNotPossible
CcFastReadWait
CcFlushCache
CcGetDirtyPages
CcGetFileObjectFromBcb
CcGetFileObjectFromSectionPtrs
CcGetFlushedValidData
CcGetLsnForFileObject
CcInitializeCacheMap
CcIsThereDirtyData
CcMapData
CcMdlRead
CcMdlReadComplete
CcMdlWriteAbort
CcMdlWriteComplete
CcPinMappedData
CcPinRead
CcPrepareMdlWrite
CcPreparePinWrite
CcPurgeCacheSection
CcRemapBcb
CcRepinBcb
CcScheduleReadAhead
CcSetAdditionalCacheAttributes
CcSetBcbOwnerPointer
CcSetDirtyPageThreshold
CcSetDirtyPinnedData
CcSetFileSizes
CcSetLogHandleForFile
CcSetReadAheadGranularity
CcUninitializeCacheMap
CcUnpinData
CcUnpinDataForThread
CcUnpinRepinnedBcb
CcWaitForCurrentLazyWriterActivity
CcZeroData
ExAcquireFastMutexUnsafe
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
ExAcquireRundownProtection
ExAcquireRundownProtectionEx
ExAcquireSharedStarveExclusive
ExAcquireSharedWaitForExclusive
ExAllocateFromPagedLookasideList
ExAllocatePool
ExAllocatePoolWithQuota
ExAllocatePoolWithQuotaTag
ExAllocatePoolWithTag
ExAllocatePoolWithTagPriority
ExConvertExclusiveToSharedLite
ExCreateCallback
ExDeleteNPagedLookasideList
ExDeletePagedLookasideList
ExDeleteResourceLite
ExDesktopObjectType
ExDisableResourceBoostLite
ExEnumHandleTable
ExEventObjectType
ExExtendZone
ExFreePool
ExFreePoolWithTag
ExFreeToPagedLookasideList
ExGetCurrentProcessorCounts
ExGetCurrentProcessorCpuUsage
ExGetExclusiveWaiterCount
ExGetPreviousMode
ExGetSharedWaiterCount
ExInitializeNPagedLookasideList
ExInitializePagedLookasideList
ExInitializeResourceLite
ExInitializeRundownProtection
ExInitializeZone
ExInterlockedAddLargeInteger
ExInterlockedAddLargeStatistic
ExInterlockedAddUlong
ExInterlockedCompareExchange64
ExInterlockedDecrementLong
ExInterlockedExchangeUlong
ExInterlockedExtendZone
ExInterlockedFlushSList
ExInterlockedIncrementLong
ExInterlockedInsertHeadList
ExInterlockedInsertTailList
ExInterlockedPopEntryList
ExInterlockedPopEntrySList
ExInterlockedPushEntryList
ExInterlockedPushEntrySList
ExInterlockedRemoveHeadList
ExIsProcessorFeaturePresent
ExIsResourceAcquiredExclusiveLite
ExIsResourceAcquiredSharedLite
ExLocalTimeToSystemTime
ExNotifyCallback
ExQueryPoolBlockSize
ExQueueWorkItem
ExRaiseAccessViolation
ExRaiseDatatypeMisalignment
ExRaiseException
ExRaiseHardError
ExRaiseStatus
ExReInitializeRundownProtection
ExRegisterCallback
ExReinitializeResourceLite
ExReleaseFastMutexUnsafe
ExReleaseResourceForThreadLite
ExReleaseResourceLite
ExReleaseRundownProtection
ExReleaseRundownProtectionEx
ExRundownCompleted
ExSemaphoreObjectType
ExSetResourceOwnerPointer
ExSetTimerResolution
ExSystemExceptionFilter
ExSystemTimeToLocalTime
ExUnregisterCallback
ExUuidCreate
ExVerifySuite
ExWaitForRundownProtectionRelease
ExWindowStationObjectType
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfInterlockedAddUlong
ExfInterlockedCompareExchange64
ExfInterlockedInsertHeadList
ExfInterlockedInsertTailList
ExfInterlockedPopEntryList
ExfInterlockedPushEntryList
ExfInterlockedRemoveHeadList
ExfReleasePushLock
IoAcquireCancelSpinLock
IoAcquireRemoveLockEx
IoAcquireVpbSpinLock
IoAdapterObjectType
IoAllocateAdapterChannel
IoAllocateController
IoAllocateDriverObjectExtension
IoAllocateErrorLogEntry
IoAllocateIrp
IoAllocateMdl
IoAllocateWorkItem
IoAssignDriveLetters
IoAssignResources
IoAttachDevice
IoAttachDeviceByPointer
IoAttachDeviceToDeviceStack
IoAttachDeviceToDeviceStackSafe
IoBuildAsynchronousFsdRequest
IoBuildDeviceIoControlRequest
IoBuildPartialMdl
IoBuildSynchronousFsdRequest
IoCallDriver
IoCancelFileOpen
IoCancelIrp
IoCheckDesiredAccess
IoCheckEaBufferValidity
IoCheckFunctionAccess
IoCheckQuerySetFileInformation
IoCheckQuerySetVolumeInformation
IoCheckQuotaBufferValidity
IoCheckShareAccess
IoCompleteRequest
IoConnectInterrupt
IoCreateController
IoCreateDevice
IoCreateDisk
IoCreateDriver
IoCreateFile
IoCreateFileSpecifyDeviceObjectHint
IoCreateNotificationEvent
IoCreateStreamFileObject
IoCreateStreamFileObjectEx
IoCreateStreamFileObjectLite
IoCreateSymbolicLink
IoCreateSynchronizationEvent
IoCreateUnprotectedSymbolicLink
IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveIrp
IoCsqRemoveNextIrp
IoDeleteController
IoDeleteDevice
IoDeleteDriver
IoDeleteSymbolicLink
IoDetachDevice
IoDeviceHandlerObjectSize
IoDeviceHandlerObjectType
IoDeviceObjectType
IoDisconnectInterrupt
IoDriverObjectType
IoEnqueueIrp
IoEnumerateDeviceObjectList
IoEnumerateRegisteredFiltersList
IoFastQueryNetworkAttributes
IoFileObjectType
IoForwardAndCatchIrp
IoForwardIrpSynchronously
IoFreeController
IoFreeErrorLogEntry
IoFreeIrp
IoFreeMdl
IoFreeWorkItem
IoGetAttachedDevice
IoGetAttachedDeviceReference
IoGetBaseFileSystemDeviceObject
IoGetBootDiskInformation
IoGetConfigurationInformation
IoGetCurrentProcess
IoGetDeviceAttachmentBaseRef
IoGetDeviceInterfaceAlias
IoGetDeviceInterfaces
IoGetDeviceObjectPointer
IoGetDeviceProperty
IoGetDeviceToVerify
IoGetDiskDeviceObject
IoGetDmaAdapter
IoGetDriverObjectExtension
IoGetFileObjectGenericMapping
IoGetInitialStack
IoGetLowerDeviceObject
IoGetRelatedDeviceObject
IoGetRequestorProcess
IoGetRequestorProcessId
IoGetRequestorSessionId
IoGetStackLimits
IoGetTopLevelIrp
IoInitializeIrp
IoInitializeRemoveLockEx
IoInitializeTimer
IoInvalidateDeviceRelations
IoInvalidateDeviceState
IoIsFileOriginRemote
IoIsOperationSynchronous
IoIsSystemThread
IoIsValidNameGraftingBuffer
IoIsWdmVersionAvailable
IoMakeAssociatedIrp
IoOpenDeviceInterfaceRegistryKey
IoOpenDeviceRegistryKey
IoPageRead
IoPnPDeliverServicePowerNotification
IoQueryDeviceDescription
IoQueryFileDosDeviceName
IoQueryFileInformation
IoQueryVolumeInformation
IoQueueThreadIrp
IoQueueWorkItem
IoRaiseHardError
IoRaiseInformationalHardError
IoReadDiskSignature
IoReadOperationCount
IoReadPartitionTable
IoReadPartitionTableEx
IoReadTransferCount
IoRegisterBootDriverReinitialization
IoRegisterDeviceInterface
IoRegisterDriverReinitialization
IoRegisterFileSystem
IoRegisterFsRegistrationChange
IoRegisterLastChanceShutdownNotification
IoRegisterPlugPlayNotification
IoRegisterShutdownNotification
IoReleaseCancelSpinLock
IoReleaseRemoveLockAndWaitEx
IoReleaseRemoveLockEx
IoReleaseVpbSpinLock
IoRemoveShareAccess
IoReportDetectedDevice
IoReportHalResourceUsage
IoReportResourceForDetection
IoReportResourceUsage
IoReportTargetDeviceChange
IoReportTargetDeviceChangeAsynchronous
IoRequestDeviceEject
IoReuseIrp
IoSetCompletionRoutineEx
IoSetDeviceInterfaceState
IoSetDeviceToVerify
IoSetFileOrigin
IoSetHardErrorOrVerifyDevice
IoSetInformation
IoSetIoCompletion
IoSetPartitionInformation
IoSetPartitionInformationEx
IoSetShareAccess
IoSetStartIoAttributes
IoSetSystemPartition
IoSetThreadHardErrorMode
IoSetTopLevelIrp
IoStartNextPacket
IoStartNextPacketByKey
IoStartPacket
IoStartTimer
IoStatisticsLock
IoStopTimer
IoSynchronousInvalidateDeviceRelations
IoSynchronousPageWrite
IoThreadToProcess
IoUnregisterFileSystem
IoUnregisterFsRegistrationChange
IoUnregisterPlugPlayNotification
IoUnregisterShutdownNotification
IoUpdateShareAccess
IoValidateDeviceIoControlAccess
IoVerifyPartitionTable
IoVerifyVolume
IoVolumeDeviceToDosName
IoWMIAllocateInstanceIds
IoWMIDeviceObjectToInstanceName
IoWMIExecuteMethod
IoWMIHandleToInstanceName
IoWMIOpenBlock
IoWMIQueryAllData
IoWMIQueryAllDataMultiple
IoWMIQuerySingleInstance
IoWMIQuerySingleInstanceMultiple
IoWMIRegistrationControl
IoWMISetNotificationCallback
IoWMISetSingleInstance
IoWMISetSingleItem
IoWMISuggestInstanceName
IoWMIWriteEvent
IoWriteErrorLogEntry
IoWriteOperationCount
IoWritePartitionTable
IoWritePartitionTableEx
IoWriteTransferCount
IofCallDriver
IofCompleteRequest
Ke386CallBios
Ke386IoSetAccessProcess
Ke386QueryIoAccessMap
Ke386SetIoAccessMap
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeAcquireInterruptSpinLock
KeAcquireSpinLockAtDpcLevel
KeAddSystemServiceTable
KeAreApcsDisabled
KeAttachProcess
KeBugCheck
KeBugCheckEx
KeCancelTimer
KeCapturePersistentThreadState
KeClearEvent
KeConnectInterrupt
KeDcacheFlushCount
KeDelayExecutionThread
KeDeregisterBugCheckCallback
KeDeregisterBugCheckReasonCallback
KeDetachProcess
KeDisconnectInterrupt
KeEnterCriticalRegion
KeEnterKernelDebugger
KeFindConfigurationEntry
KeFindConfigurationNextEntry
KeFlushEntireTb
KeFlushQueuedDpcs
KeGetCurrentThread
KeGetPreviousMode
KeGetRecommendedSharedDataAlignment
KeI386AbiosCall
KeI386AllocateGdtSelectors
KeI386Call16BitCStyleFunction
KeI386Call16BitFunction
KeI386FlatToGdtSelector
KeI386GetLid
KeI386MachineType
KeI386ReleaseGdtSelectors
KeI386ReleaseLid
KeI386SetGdtSelector
KeIcacheFlushCount
KeInitializeApc
KeInitializeDeviceQueue
KeInitializeDpc
KeInitializeEvent
KeInitializeInterrupt
KeInitializeMutant
KeInitializeMutex
KeInitializeQueue
KeInitializeSemaphore
KeInitializeSpinLock
KeInitializeTimer
KeInitializeTimerEx
KeInsertByKeyDeviceQueue
KeInsertDeviceQueue
KeInsertHeadQueue
KeInsertQueue
KeInsertQueueApc
KeInsertQueueDpc
KeIsAttachedProcess
KeIsExecutingDpc
KeLeaveCriticalRegion
KeLoaderBlock
KeNumberProcessors
KeProfileInterrupt
KeProfileInterruptWithSource
KePulseEvent
KeQueryActiveProcessors
KeQueryInterruptTime
KeQueryPriorityThread
KeQueryRuntimeThread
KeQuerySystemTime
KeQueryTickCount
KeQueryTimeIncrement
KeRaiseUserException
KeReadStateEvent
KeReadStateMutant
KeReadStateMutex
KeReadStateQueue
KeReadStateSemaphore
KeReadStateTimer
KeRegisterBugCheckCallback
KeRegisterBugCheckReasonCallback
KeReleaseInStackQueuedSpinLockFromDpcLevel
KeReleaseInterruptSpinLock
KeReleaseMutant
KeReleaseMutex
KeReleaseSemaphore
KeReleaseSpinLockFromDpcLevel
KeRemoveByKeyDeviceQueue
KeRemoveByKeyDeviceQueueIfBusy
KeRemoveDeviceQueue
KeRemoveEntryDeviceQueue
KeRemoveQueue
KeRemoveQueueDpc
KeRemoveSystemServiceTable
KeResetEvent
KeRestoreFloatingPointState
KeRevertToUserAffinityThread
KeRundownQueue
KeSaveFloatingPointState
KeSaveStateForHibernate
KeServiceDescriptorTable
KeSetAffinityThread
KeSetBasePriorityThread
KeSetDmaIoCoherency
KeSetEvent
KeSetEventBoostPriority
KeSetIdealProcessorThread
KeSetImportanceDpc
KeSetKernelStackSwapEnable
KeSetPriorityThread
KeSetProfileIrql
KeSetSystemAffinityThread
KeSetTargetProcessorDpc
KeSetTimeIncrement
KeSetTimeUpdateNotifyRoutine
KeSetTimer
KeSetTimerEx
KeStackAttachProcess
KeSynchronizeExecution
KeTerminateThread
KeTickCount
KeUnstackDetachProcess
KeUpdateRunTime
KeUpdateSystemTime
KeUserModeCallback
KeWaitForMultipleObjects
KeWaitForMutexObject
KeWaitForSingleObject
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
Kei386EoiHelper
KiAcquireSpinLock
KiBugCheckData
KiCoprocessorError
KiDeliverApc
KiDispatchInterrupt
KiEnableTimerWatchdog
KiIpiServiceRoutine
KiReleaseSpinLock
KiUnexpectedInterrupt
Kii386SpinOnSpinLock
LdrAccessResource
LdrEnumResources
LdrFindResourceDirectory_U
LdrFindResource_U
LpcPortObjectType
LpcRequestPort
LpcRequestWaitReplyPort
LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaFreeReturnBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
Mm64BitPhysicalAddress
MmAddPhysicalMemory
MmAddVerifierThunks
MmAdjustWorkingSetSize
MmAdvanceMdl
MmAllocateContiguousMemory
MmAllocateContiguousMemorySpecifyCache
MmAllocateMappingAddress
MmAllocateNonCachedMemory
MmAllocatePagesForMdl
MmBuildMdlForNonPagedPool
MmCanFileBeTruncated
MmCommitSessionMappedView
MmCreateMdl
MmCreateSection
MmDisableModifiedWriteOfSection
MmFlushImageSection
MmForceSectionClosed
MmFreeContiguousMemory
MmFreeContiguousMemorySpecifyCache
MmFreeMappingAddress
MmFreeNonCachedMemory
MmFreePagesFromMdl
MmGetPhysicalAddress
MmGetPhysicalMemoryRanges
MmGetSystemRoutineAddress
MmGetVirtualForPhysical
MmGrowKernelStack
MmHighestUserAddress
MmIsAddressValid
MmIsDriverVerifying
MmIsNonPagedSystemAddressValid
MmIsRecursiveIoFault
MmIsThisAnNtAsSystem
MmIsVerifierEnabled
MmLockPagableDataSection
MmLockPagableImageSection
MmLockPagableSectionByHandle
MmMapIoSpace
MmMapLockedPages
MmMapLockedPagesSpecifyCache
MmMapLockedPagesWithReservedMapping
MmMapMemoryDumpMdl
MmMapUserAddressesToPage
MmMapVideoDisplay
MmMapViewInSessionSpace
MmMapViewInSystemSpace
MmMapViewOfSection
MmMarkPhysicalMemoryAsBad
MmMarkPhysicalMemoryAsGood
MmPageEntireDriver
MmPrefetchPages
MmProbeAndLockPages
MmProbeAndLockProcessPages
MmProbeAndLockSelectedPages
MmProtectMdlSystemAddress
MmQuerySystemSize
MmRemovePhysicalMemory
MmResetDriverPaging
MmSectionObjectType
MmSecureVirtualMemory
MmSetAddressRangeModified
MmSetBankedSection
MmSizeOfMdl
MmSystemRangeStart
MmTrimAllSystemPagableMemory
MmUnlockPagableImageSection
MmUnlockPages
MmUnmapIoSpace
MmUnmapLockedPages
MmUnmapReservedMapping
MmUnmapVideoDisplay
MmUnmapViewInSessionSpace
MmUnmapViewInSystemSpace
MmUnmapViewOfSection
MmUnsecureVirtualMemory
MmUserProbeAddress
NlsAnsiCodePage
NlsLeadByteInfo
NlsMbCodePageTag
NlsMbOemCodePageTag
NlsOemCodePage
NlsOemLeadByteInfo
NtAddAtom
NtAdjustPrivilegesToken
NtAllocateLocallyUniqueId
NtAllocateUuids
NtAllocateVirtualMemory
NtBuildNumber
NtClose
NtConnectPort
NtCreateEvent
NtCreateFile
NtCreateSection
NtDeleteAtom
NtDeleteFile
NtDeviceIoControlFile
NtDuplicateObject
NtDuplicateToken
NtFindAtom
NtFreeVirtualMemory
NtFsControlFile
NtGlobalFlag
NtLockFile
NtMakePermanentObject
NtMapViewOfSection
NtNotifyChangeDirectoryFile
NtOpenFile
NtOpenProcess
NtOpenProcessToken
NtOpenProcessTokenEx
NtOpenThread
NtOpenThreadToken
NtOpenThreadTokenEx
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationAtom
NtQueryInformationFile
NtQueryInformationProcess
NtQueryInformationThread
NtQueryInformationToken
NtQueryQuotaInformationFile
NtQuerySecurityObject
NtQuerySystemInformation
NtQueryVolumeInformationFile
NtReadFile
NtRequestPort
NtRequestWaitReplyPort
NtSetEaFile
NtSetEvent
NtSetInformationFile
NtSetInformationProcess
NtSetInformationThread
NtSetQuotaInformationFile
NtSetSecurityObject
NtSetVolumeInformationFile
NtShutdownSystem
NtTraceEvent
NtUnlockFile
NtVdmControl
NtWaitForSingleObject
NtWriteFile
ObAssignSecurity
ObCheckCreateObjectAccess
ObCheckObjectAccess
ObCloseHandle
ObCreateObject
ObCreateObjectType
ObDereferenceObject
ObDereferenceSecurityDescriptor
ObFindHandleForObject
ObGetObjectSecurity
ObInsertObject
ObLogSecurityDescriptor
ObMakeTemporaryObject
ObOpenObjectByName
ObOpenObjectByPointer
ObQueryNameString
ObQueryObjectAuditingByHandle
ObReferenceObjectByHandle
ObReferenceObjectByName
ObReferenceObjectByPointer
ObReferenceSecurityDescriptor
ObReleaseObjectSecurity
ObSetHandleAttributes
ObSetSecurityDescriptorInfo
ObSetSecurityObjectByPointer
ObfDereferenceObject
ObfReferenceObject
ProbeForRead
ProbeForWrite
PsAssignImpersonationToken
PsChargePoolQuota
PsChargeProcessNonPagedPoolQuota
PsChargeProcessPagedPoolQuota
PsChargeProcessPoolQuota
PsCreateSystemProcess
PsCreateSystemThread
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsDisableImpersonation
PsEstablishWin32Callouts
PsGetContextThread
PsGetCurrentProcess
PsGetCurrentProcessId
PsGetCurrentProcessSessionId
PsGetCurrentThread
PsGetCurrentThreadId
PsGetCurrentThreadPreviousMode
PsGetCurrentThreadStackBase
PsGetCurrentThreadStackLimit
PsGetJobLock
PsGetJobSessionId
PsGetJobUIRestrictionsClass
PsGetProcessCreateTimeQuadPart
PsGetProcessDebugPort
PsGetProcessExitProcessCalled
PsGetProcessExitStatus
PsGetProcessExitTime
PsGetProcessId
PsGetProcessImageFileName
PsGetProcessInheritedFromUniqueProcessId
PsGetProcessJob
PsGetProcessPeb
PsGetProcessPriorityClass
PsGetProcessSectionBaseAddress
PsGetProcessSecurityPort
PsGetProcessSessionId
PsGetProcessWin32Process
PsGetProcessWin32WindowStation
PsGetThreadFreezeCount
PsGetThreadHardErrorsAreDisabled
PsGetThreadId
PsGetThreadProcess
PsGetThreadProcessId
PsGetThreadSessionId
PsGetThreadTeb
PsGetThreadWin32Thread
PsGetVersion
PsImpersonateClient
PsInitialSystemProcess
PsIsProcessBeingDebugged
PsIsSystemThread
PsIsThreadImpersonating
PsIsThreadTerminating
PsJobType
PsLookupProcessByProcessId
PsLookupProcessThreadByCid
PsLookupThreadByThreadId
PsProcessType
PsReferenceImpersonationToken
PsReferencePrimaryToken
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsRestoreImpersonation
PsReturnPoolQuota
PsReturnProcessNonPagedPoolQuota
PsReturnProcessPagedPoolQuota
PsRevertThreadToSelf
PsRevertToSelf
PsSetContextThread
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsSetJobUIRestrictionsClass
PsSetLegoNotifyRoutine
PsSetLoadImageNotifyRoutine
PsSetProcessPriorityByClass
PsSetProcessPriorityClass
PsSetProcessSecurityPort
PsSetProcessWin32Process
PsSetProcessWindowStation
PsSetThreadHardErrorsAreDisabled
PsSetThreadWin32Thread
PsTerminateSystemThread
PsThreadType
ZwAccessCheckAndAuditAlarm
ZwAddBootEntry
ZwAdjustPrivilegesToken
ZwAlertThread
ZwAllocateVirtualMemory
ZwAssignProcessToJobObject
ZwCancelIoFile
ZwCancelTimer
ZwClearEvent
ZwClose
ZwCloseObjectAuditAlarm
ZwConnectPort
ZwCreateDirectoryObject
ZwCreateEvent
ZwCreateFile
ZwCreateJobObject
ZwCreateKey
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwCreateTimer
ZwDeleteBootEntry
ZwDeleteFile
ZwDeleteKey
ZwDeleteValueKey
ZwDeviceIoControlFile
ZwDisplayString
ZwDuplicateObject
ZwDuplicateToken
ZwEnumerateBootEntries
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushInstructionCache
ZwFlushKey
ZwFlushVirtualMemory
ZwFreeVirtualMemory
ZwFsControlFile
ZwInitiatePowerAction
ZwIsProcessInJob
ZwLoadDriver
ZwLoadKey
ZwMakeTemporaryObject
ZwMapViewOfSection
ZwNotifyChangeKey
ZwOpenDirectoryObject
ZwOpenEvent
ZwOpenFile
ZwOpenJobObject
ZwOpenKey
ZwOpenProcess
ZwOpenProcessToken
ZwOpenProcessTokenEx
ZwOpenSection
ZwOpenSymbolicLinkObject
ZwOpenThread
ZwOpenThreadToken
ZwOpenThreadTokenEx
ZwOpenTimer
ZwPowerInformation
ZwPulseEvent
ZwQueryBootEntryOrder
ZwQueryBootOptions
ZwQueryDefaultLocale
ZwQueryDefaultUILanguage
ZwQueryDirectoryFile
ZwQueryDirectoryObject
ZwQueryEaFile
ZwQueryFullAttributesFile
ZwQueryInformationFile
ZwQueryInformationJobObject
ZwQueryInformationProcess
ZwQueryInformationThread
ZwQueryInformationToken
ZwQueryInstallUILanguage
ZwQueryKey
ZwQueryObject
ZwQuerySection
ZwQuerySecurityObject
ZwQuerySymbolicLinkObject
ZwQuerySystemInformation
ZwQueryValueKey
ZwQueryVolumeInformationFile
ZwReadFile
ZwReplaceKey
ZwRequestWaitReplyPort
ZwResetEvent
ZwRestoreKey
ZwSaveKey
ZwSaveKeyEx
ZwSetBootEntryOrder
ZwSetBootOptions
ZwSetDefaultLocale
ZwSetDefaultUILanguage
ZwSetEaFile
ZwSetEvent
ZwSetInformationFile
ZwSetInformationJobObject
ZwSetInformationObject
ZwSetInformationProcess
ZwSetInformationThread
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetSystemTime
ZwSetTimer
ZwSetValueKey
ZwSetVolumeInformationFile
ZwTerminateJobObject
ZwTerminateProcess
ZwTranslateFilePath
ZwUnloadDriver
ZwUnloadKey
ZwUnmapViewOfSection
ZwWaitForMultipleObjects
ZwWaitForSingleObject
ZwWriteFile
ZwYieldExecution

[Last edited by 黄金马甲出租 on 2008-6-23 20:31]
spiha
Posted 2008-6-23 20:25:03
“Many people wrongly think that if a HIPS has a whitelist it can judge intelligently and become Micropoint. Why don't they consider this: if Micropoint had no whitelist, if you took the whitelist away, would it block normal software's behaviour?
No! Whereas a HIPS would block it. The answer is that Micropoint has the ability to recognise and judge normal program behaviour, and HIPS does not have the ability to judge normal program behaviour. This is one of the most fundamental differences between HIPS and Micropoint.”

Poor OP ww
Someone has already removed Micropoint's whitelist, and WinRAR got flagged as a virus just the same ww
I forget whether it was k or 石头.

Also, don't underestimate these tests; they're just not at the practical stage yet.

[Last edited by spiha on 2008-6-23 20:27]
Copyright © KaFan  KaFan.cn All Rights Reserved.